Okay, I have a packet-filtering firewall ALMOST set up.  I can telnet
and ftp from the firewall to the outside, by name or by number.  But I
can't telnet, ftp or resolve names from within the protected net to
outside.

On the firewall, I have the two cards looking at each other as gateways,
with the default gateway being my outside router.

Right now there's only one machine on the "safe" side of the firewall;
it points to the firewall's trusted interface as its gateway.

I'm reasonably certain that I've left out a vital rule, but the examples
I've been able to find for ipfwadm haven't been particularly
comprehensive.

Here's a list of my rules as they stand right now, stated as arguments
to ipfwadm.  Eth0/192.168.1.1 is the trusted interface, and all internal
IP addresses are from the "non routable" network 192.168.1.  All
defaults are set to deny.

Input rules:
Permit everything from protected net to trusted interface:
-I -a accept -P tcp -S 192.168.1.0/24 -V 192.168.1.1 -D 192.168.1.1
Permit outside mail onto the unprotected interface:
-I -a accept -P tcp -S 0.0.0.0/0 -D [outer ip address] 25
Permit incoming ftp data:
-I -a accept -P tcp -S 0.0.0.0/0 20 -D [outer ip address] 1024:65535
Permit DNS from internal server to firewall:
-I -a accept -P udp -V 192.168.1.1 -S 192.168.1.3 53 -D 192.168.1.1
Permit DNS from internal server to Internet:
-I -a accept -P udp -V 192.168.1.1 -S 192.168.1.3 53 -D 0.0.0.0/0 53
Permit DNS from outside world to firewall (masqueraded):
-I -a accept -P udp -S 0.0.0.0/0 53 -D [outer ip address]
Let in everything with the ack bit set:
-I -a accept -P tcp -k -S 0.0.0.0/0 -D [outer ip address]

Forwarding rules:
Forward everything from the inside->out, masqued:
-F -a masquerade -P tcp -V 192.168.1.1 -S 192.168.1.0/24 -D 0.0.0.0/0
Forward DNS requests from inside->out, masqued:
-F -a masquerade -P udp -V 192.168.1.1 -S 192.168.1.3 53 -D 0.0.0.0/0 53

Output rules:
Permit everything from the outer interface to the internet:
-O -a accept -P tcp -S [outer ip address] -D 0.0.0.0/0
Permit incoming ftp data:
-O -a accept -P tcp -S 0.0.0.0/0 20 -D 192.168.1.0/24 1024:65535
Permit DNS requests out to internet:
-O -a accept -P udp -S [outer ip address] -D 0.0.0.0/0 53
Permit DNS from protected card to internal DNS server:
-O -a accept -P udp -V 192.168.1.1 -S 192.168.1.1 -D 192.168.1.3 53
Permit DNS from Internet to internal DNS (masqued):
-O -a accept -P udp -V 192.168.1.1 -S 0.0.0.0/0 53 -D 192.168.1.3 53
Permit everything from the firewall to the protected net with ack set:
-O -a accept -P tcp -k -S 0.0.0.0/0 -D 192.168.1.0/24


Part of the problem I'm having is that I don't even know how to tell
where the chain is breaking down.  Is there a non-icmp way to find
out/trace routes?

Any thoughts welcome, including thoughts on a better place to ask this
question.

Thanks,
michael


-- 
  PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
         To unsubscribe: mail [EMAIL PROTECTED] with 
                       "unsubscribe" as the Subject.
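The post asks for a non-ICMP way to see where the chain breaks down. One offline way is to replay the posted rules through a first-match simulator and report the first chain in which a given packet finds no matching rule. The Python script below is an added example and is not part of the original mail or of ipfwadm itself. It assumes the ipfwadm packet path for a forwarded packet (input chain, then forwarding chain, then output chain, each default-deny as the post states), assumes that -V names the receiving interface for input rules and the sending interface for forwarding and output rules (as the ipfwadm manual describes), and substitutes the documentation address 203.0.113.2 for the post's "[outer ip address]". It models only the outbound direction; masquerade reply handling and fragments are not simulated. The sample packets and the extra rules in EXTRA_RULES are constructed for the demonstration.

```python
"""Trace a packet through an ipfwadm-style rule set (constructed example)."""
import ipaddress
import shlex

# Constructed stand-ins: the post's "[outer ip address]" and the trusted card.
OUTER_IP = "203.0.113.2"
TRUSTED_IP = "192.168.1.1"

# The rule set exactly as listed in the post, with the placeholder substituted.
POSTED_RULES = """
-I -a accept -P tcp -S 192.168.1.0/24 -V 192.168.1.1 -D 192.168.1.1
-I -a accept -P tcp -S 0.0.0.0/0 -D OUTER 25
-I -a accept -P tcp -S 0.0.0.0/0 20 -D OUTER 1024:65535
-I -a accept -P udp -V 192.168.1.1 -S 192.168.1.3 53 -D 192.168.1.1
-I -a accept -P udp -V 192.168.1.1 -S 192.168.1.3 53 -D 0.0.0.0/0 53
-I -a accept -P udp -S 0.0.0.0/0 53 -D OUTER
-I -a accept -P tcp -k -S 0.0.0.0/0 -D OUTER
-F -a masquerade -P tcp -V 192.168.1.1 -S 192.168.1.0/24 -D 0.0.0.0/0
-F -a masquerade -P udp -V 192.168.1.1 -S 192.168.1.3 53 -D 0.0.0.0/0 53
-O -a accept -P tcp -S OUTER -D 0.0.0.0/0
-O -a accept -P tcp -S 0.0.0.0/0 20 -D 192.168.1.0/24 1024:65535
-O -a accept -P udp -S OUTER -D 0.0.0.0/0 53
-O -a accept -P udp -V 192.168.1.1 -S 192.168.1.1 -D 192.168.1.3 53
-O -a accept -P udp -V 192.168.1.1 -S 0.0.0.0/0 53 -D 192.168.1.3 53
-O -a accept -P tcp -k -S 0.0.0.0/0 -D 192.168.1.0/24
""".replace("OUTER", OUTER_IP)

# Constructed rules, appended only to show what a full pass looks like.
EXTRA_RULES = f"""
-I -a accept -P tcp -V {TRUSTED_IP} -S 192.168.1.0/24 -D 0.0.0.0/0
-F -a masquerade -P tcp -V {OUTER_IP} -S 192.168.1.0/24 -D 0.0.0.0/0
"""

CHAIN_FLAGS = {"-I": "input", "-F": "forward", "-O": "output"}


def parse_ports(spec):
    """'53' -> range(53, 54); '1024:65535' -> range(1024, 65536)."""
    lo, _, hi = spec.partition(":")
    return range(int(lo), int(hi or lo) + 1)


def parse_rule(line):
    """Parse the subset of ipfwadm options used in the post."""
    toks = shlex.split(line)
    rule = {"proto": "all", "src": None, "sports": None, "dst": None,
            "dports": None, "via": None, "ack_only": False}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in CHAIN_FLAGS:
            rule["chain"] = CHAIN_FLAGS[t]
        elif t in ("-a", "-P", "-V"):
            i += 1
            rule[{"-a": "action", "-P": "proto", "-V": "via"}[t]] = toks[i]
        elif t in ("-S", "-D"):
            i += 1
            net = ipaddress.ip_network(toks[i], strict=False)
            ports = None
            if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                i += 1
                ports = parse_ports(toks[i])  # optional port or port range
            key = "src" if t == "-S" else "dst"
            rule[key], rule[key[0] + "ports"] = net, ports
        elif t == "-k":
            rule["ack_only"] = True  # match only packets with ACK set
        else:
            raise ValueError(f"unsupported option {t!r}")
        i += 1
    return rule


def packet(proto, src, sport, dst, dport, ack=False):
    """Outbound packet: arrives on the trusted card, leaves on the outer card."""
    return {"proto": proto, "src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport, "ack": ack,
            "in_if": TRUSTED_IP, "out_if": OUTER_IP}


def matches(rule, pkt):
    if rule["proto"] != "all" and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] is not None and pkt["src"] not in rule["src"]:
        return False
    if rule["dst"] is not None and pkt["dst"] not in rule["dst"]:
        return False
    if rule["sports"] is not None and pkt["sport"] not in rule["sports"]:
        return False
    if rule["dports"] is not None and pkt["dport"] not in rule["dports"]:
        return False
    # Assumed -V semantics: receiving interface for input, sending otherwise.
    via = pkt["in_if"] if rule["chain"] == "input" else pkt["out_if"]
    if rule["via"] is not None and rule["via"] != via:
        return False
    return not rule["ack_only"] or pkt["ack"]


def trace(rules, pkt):
    """Walk input -> forward -> output; return (chain, verdict) where it stops."""
    pkt = dict(pkt)
    for chain in ("input", "forward", "output"):
        hit = next((r for r in rules if r["chain"] == chain and matches(r, pkt)), None)
        if hit is None:
            return chain, "default-deny"
        if hit["action"] in ("deny", "reject"):
            return chain, hit["action"]
        if hit["action"] == "masquerade":
            pkt["src"] = ipaddress.ip_address(OUTER_IP)  # leaves with outer address
            pkt["sport"] = 61000  # constructed; the kernel picks a high port
    return "delivered", "accept"


def load(text):
    return [parse_rule(line) for line in text.strip().splitlines()]


RULES = load(POSTED_RULES)

if __name__ == "__main__":
    telnet = packet("tcp", "192.168.1.5", 1025, "198.51.100.7", 23)
    dns = packet("udp", "192.168.1.3", 53, "198.51.100.7", 53)
    for name, p in (("telnet SYN", telnet), ("DNS query", dns)):
        print(name, "->", trace(RULES, p))
    print("telnet SYN with EXTRA_RULES ->", trace(RULES + load(EXTRA_RULES), telnet))
```

Run it and each constructed packet is reported with the chain in which it stopped, which is the same question a packet-level tracer would answer on the box; because the tracer is first-match, the order in which rules are appended matters exactly as it does for ipfwadm.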